Google Privacy Sandbox & GAID: Everything You Need to Know

Nadav Pesti 20 April 2022


For the past two years, everyone in the mobile marketing industry has been talking about Apple’s deprecation of the IDFA post iOS 14. It came with a lot of limitations that affected the entire industry and made tracking users much more difficult. Now it’s Google’s turn. 

New privacy laws have been cropping up frequently around the world over the last few years, such as the EU’s GDPR. The world has become obsessed with data privacy, forcing tech companies to implement regulations that align with this. Apple and Google have been at the forefront of these regulatory changes. 

Apple wanted to draw the industry’s money into its SKAdNetwork and encourage advertisers to run ads through Apple Search Ads. As its main competitor, Google couldn’t sit back and let this happen. It couldn’t afford to stay silent and lose more and more ad revenue. That’s where the Google Privacy Sandbox comes into the picture, as no surprise to industry professionals. 

Apple Search Ads saw its most dramatic growth in the past year since iOS 14.5. It was evident Google would follow in Apple’s footsteps to get in on the action. 


Google has three identifiers. One of these identifiers is GAID – Google Advertising ID – which Google has now announced plans to deprecate, following Apple’s lead. 

Previously, mobile attribution relied solely on these user-level identifiers. Now, the landscape is changing to protect user privacy from third-party data exchanges with device identifiers, while ensuring advertisers can still carry out attribution effectively. Going forward, instead of attribution and tracking being done per user, it will be aggregated. 

What is Google Privacy Sandbox?

Before we delve into Google’s Privacy Sandbox specifically, we’ll answer the question: what is a sandbox? The term “sandbox” is used in the developer industry to mean “testing environment”. 

There was no way Google would not follow in Apple’s footsteps in appearing to protect its users. In reality, Google is more likely protecting its own pocket. That doesn’t mean it can’t disguise the decision as one for its users’ benefit.

However, Google didn’t want to approach its privacy update with the same immediacy as Apple. Instead, it’s opting to give advertisers more time to prepare. As such, Google has revealed its intention to deprecate the GAID in a Privacy Sandbox – essentially a privacy testing environment – that will take up to two years to reach completion. The start of the changes took place on 04/01/22 (April 1st), the point from which advertisers and developers need to declare a Google Play services permission within an app’s manifest files. We delve deeper into this below. 

Google has specifically called its proposal a Privacy Sandbox to highlight how the update is not yet ready or released. It appears Google would like to deliver a message to all advertisers and platforms such as Facebook. That message is that Google is not Apple, therefore it’s not going to leave the industry in the dark. Instead, it’s going to offer solutions that have undergone rigorous testing to benefit both user privacy and the industry itself. 

The Privacy Sandbox is Google’s plan to create ways for apps to access user data without compromising user privacy. It’s specifically designed so that mobile advertising, measurement, and tracking are all still possible in a world without device identifiers. 

Why is Data Privacy on the Rise?

Privacy has been a buzzword in the mobile and digital marketing industries for many years now. There’s been a shift towards heightened user privacy with every passing year. The industry big players such as Facebook, Google and Apple have been under scrutiny for profiting off user data. This monetization was grouped together with increasing lack of trust spearheaded by data breaches and growing sentiment for more security when it comes to people’s most valuable asset: their data. 

Recent years saw the implementation of dramatic data privacy laws globally, from GDPR in EU countries to CCPA in California. This further spurred the media’s obsession with data privacy, which in turn fed into the mind of global users. That’s why we’re now in an era of tech companies introducing new privacy updates left, right and center. 

Google’s incentive to deprecate its identifier is less than Apple’s was. Identifiers specifically help with ad tracking and optimization, and Google’s revenue comes primarily from advertising. Consequently, anything that benefits ad tracking means more revenue for Google. Anything that restricts it in turn risks their main source of revenue. 

However, Google cannot be left behind in a totally different advertising ecosystem. It has to keep up, and doing so requires pleasing its customers and global regulators who are becoming increasingly privacy-focused.

GAID vs IDFA Deprecation

There are numerous differences between the way Apple handled its IDFA deprecation and how Google is handling its GAID deprecation. These differences have significant ramifications on the mobile advertising industry, so let’s dive into them below. 

Timing, Documentation & Testing

The GAID deprecation does not pose the same level of limitations as the IDFA deprecation. First, the two years allowed for it to complete is one less limitation than Apple’s almost immediate deprecation. 

Apple made its changes without much notice: it announced the change in transparency almost as soon as it was happening. Conversely, Google released its proposal in the Privacy Sandbox, but developers can use existing platform features for at least two years. Google has promised to “provide substantial notice ahead of any future changes”. It is essentially reassuring marketers and developers that it will not follow in Apple’s footsteps, at least in this regard. 

Google has provided much more than Apple in the form of documentation and a dedicated testing framework too. Eventually, the GAID will be deprecated. First, Google must ensure advertisers still can and want to run effective user acquisition campaigns on its devices and platforms. After all, it’s the biggest ad network globally, and measurement is a vital component of its success. Around 80% of Google’s entire revenue comes from advertising (which is incomparable to Apple’s more ambiguous percentage). Advertisers having the ability to target effectively on Google is crucial. 


The second difference between the GAID and IDFA deprecations is that Google will list APIs within an SDK for every marketing resource that advertisers might need. Apple did not do this. For example, advertisers will be able to specifically track retargeting campaigns. Most primary advertising use cases will be supported, including targeting, retargeting, attribution and measurement. It will be open source, so developers can work on it.

Known as SDK Runtime, the SDK will be similar to the iOS equivalent – SKAdNetwork – but with a more holistic approach to appeal to a wider variety of advertisers, app developers and app users. It will come with numerous solutions to improve the user privacy experience and help ad publishers with specific verticals such as retargeting, gaming and e-commerce. It will also offer a new and safe way for apps to integrate with third-party advertising-related SDKs. 

SKAdNetwork is more of a general solution that we have no control over. In its more comprehensive offering, it appears that Google is attempting to avoid the “bad guy” tarnishing that Apple received. It wants to imply that it only cares about preventing privacy issues and making advances. Both SKAdNetwork and Google’s Privacy Sandbox seem, at surface level, to protect user privacy.

Although the unique solutions will be suited to different verticals and use cases, the general idea will be the same. Google will not pass on user level data anymore. It will also be limiting fingerprinting, just like Apple did with iOS 14 and iOS 15. It’s all part of heading further into the new privacy era. 

iOS vs Android Users

A factor that comes into play here is also the difference between iOS and Android users. iOS users tend to be more engaged and spend more money within apps than Android users. The perceived lower value of Android users means marketers need more of an incentive to track them, so Google has to introduce a strong solution. Anything more difficult than iOS 14’s solution will give marketers even less reason to track Android users. Instead, they would likely maintain their focus solely on iOS users. They already know what’s happening there, they already have the solutions worked into their processes, and they know the users are high quality. So why would they waste time on Google if the solution is poor? 

Fortunately, this time the changes come as less of an industry challenge because marketers have already had to shift after Apple’s changes. What’s more, there’s not much that marketers can do with regard to Google’s plans. All that’s needed is a line of code to be implemented into the Android Manifest. Thus, it’s simply not as dramatic as the iOS changes. 

Attribution Reporting API

To ensure that advertisers are still able to run effective user acquisition campaigns on Google and Android devices in a post-device identifier world, Google intends to create the Attribution Reporting API. 

Within the API, advertisers will be able to:

  • Store views and clicks reported by ad networks/sources
  • Store conversion events/triggers like installs, purchases and signups
  • Match reported conversion events with reported views/clicks that are stored on the device
  • Send the data out to ad networks/mobile measurement partners (MMPs)/advertisers via event-level reports and aggregatable reports

Advertisers will be able to send up to three conversion events at separate times. Each will be attributed to the appropriate view or click stored on the device. The first conversion event will likely be used for the install, with the following two saved for KPIs that can occur later in the user journey. 
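The store, match and report flow listed above can be sketched as a small model. This is an added example, not code from the article or from Android: the class and field names are hypothetical, and the rule that the most recent stored source wins is an assumption made for the illustration.

```python
from dataclasses import dataclass, field

MAX_CONVERSIONS_PER_SOURCE = 3  # "up to three conversion events", per the article


@dataclass
class Source:
    """A view or click reported by an ad network and kept on the device."""
    source_id: str         # campaign-level ID chosen by the ad network (hypothetical)
    ad_network: str
    destination_app: str   # package name of the advertised app
    kind: str              # "view" or "click"
    timestamp: int
    conversions_sent: int = 0


@dataclass
class OnDeviceStore:
    """Toy stand-in for the device-side store; this is not the Android API."""
    sources: list = field(default_factory=list)
    outbox: list = field(default_factory=list)  # reports that leave the device

    def register_source(self, source):
        self.sources.append(source)

    def register_trigger(self, app, event, timestamp):
        # Assumed rule: the most recent earlier source for this app wins.
        candidates = [s for s in self.sources
                      if s.destination_app == app and s.timestamp <= timestamp]
        if not candidates:
            return None  # nothing stored for this app, so nothing to attribute
        winner = max(candidates, key=lambda s: s.timestamp)
        if winner.conversions_sent >= MAX_CONVERSIONS_PER_SOURCE:
            return None  # cap reached, the event is not reported
        winner.conversions_sent += 1
        # The report names the campaign and the event, never the device or user.
        report = {"ad_network": winner.ad_network, "source_id": winner.source_id,
                  "source_kind": winner.kind, "event": event}
        self.outbox.append(report)
        return report


def demo():
    """Constructed scenario: two sources, four conversions, one unrelated install."""
    device = OnDeviceStore()
    device.register_source(Source("camp-1", "net-a", "com.example.game", "view", 100))
    device.register_source(Source("camp-2", "net-b", "com.example.game", "click", 200))
    for t, event in enumerate(["install", "signup", "purchase", "purchase"], start=300):
        device.register_trigger("com.example.game", event, t)
    device.register_trigger("com.example.other", "install", 400)
    return device.outbox
```

The matching happens against data held on the device, and the three reports that reach the ad network carry only campaign and event fields.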

How to Prepare for GAID Deprecation

For now, the first thing you should focus on is updating your app’s code. You must ensure it’s in line with the new regulations (should you wish to target Android 12 users, that is). Following the GAID deprecation and Google Privacy Sandbox announcement, all apps that want to target Android 12 users must declare a new permission in their AndroidManifest.xml file in order to access each device’s Android Advertising ID. The declaration is a single line of code in the manifest.

The sooner this permission is implemented, the sooner the SDK can start reading the Advertising ID on all devices. 

The only caveat is if your app is children-facing, in which case the permission should not be added to the SDK, since the Advertising ID cannot be collected by these apps. 
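A release check for the manifest declaration and the children-facing caveat, as an added example that is not from the original article. The sample manifests are constructed; `com.google.android.gms.permission.AD_ID` is the Google Play services permission name, and `tools:node="remove"` is the manifest merger marker that strips a permission even when a bundled SDK's own manifest contributes it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
TOOLS_NS = "{http://schemas.android.com/tools}"
AD_ID = "com.google.android.gms.permission.AD_ID"

# Constructed sample manifests (not taken from any real app).
GENERAL_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

KIDS_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.kids">
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"
      tools:node="remove"/>
</manifest>"""

NO_DECLARATION = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kids">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def ad_id_state(manifest_xml):
    """Return 'declared', 'removed' or 'absent' for the AD_ID permission."""
    state = "absent"
    for perm in ET.fromstring(manifest_xml).iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") != AD_ID:
            continue
        if perm.get(TOOLS_NS + "node") == "remove":
            return "removed"  # the merger strips it, even if an SDK adds it
        state = "declared"
    return state


def audit(manifest_xml, child_directed):
    """Compare the manifest with what the app's audience allows."""
    state = ad_id_state(manifest_xml)
    if child_directed:
        return {"declared": "FAIL: children-facing app requests the Advertising ID",
                "absent": "WARN: not declared here; check the merged manifest for SDK additions",
                "removed": "OK: permission explicitly removed"}[state]
    if state == "declared":
        return "OK: Advertising ID readable"
    return "WARN: permission missing; SDKs cannot read the Advertising ID"
```

For a children-facing app, an absent declaration in the source manifest is only a warning because the merged manifest in the built APK is what the device enforces.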

Beyond updating the code, another step advertisers and app developers should take to prepare is shifting focus to first-party data. Google will allow the use of first-party data without the same heavy restrictions because the user has consented to sharing their data with that specific app. On the flip side, third-party data requires the exchange of data between two or more parties without the user necessarily consenting. That is precisely what will now be restricted with Google’s updates.


Nadav is Moburst's Head of Media Integrations & Data Analysis. He's an experienced growth hacker who specializes in helping our clients accelerate the development of their digital businesses through data-driven decision-making. He has an extensive technical understanding of performance marketing, social platforms, and analytics, as well as an eye for uncovering new trends and improving performance.